I will try to reproduce and then I will respond.
I don't know what you are trying to do exactly but if you are receiving an ICMP reject it's probably because of a good reason.
Have you seen something in squid access.logs?

Eliezer

----
Eliezer Croitoru
Linux System Administrator
Mobile: +972-5-28704261
Email: eliezer@xxxxxxxxxxxx

-----Original Message-----
From: Walter H. [mailto:Walter.H@xxxxxxxxxxxxxxxxx]
Sent: Thursday, August 10, 2017 06:49
To: Eliezer Croitoru <eliezer@xxxxxxxxxxxx>
Cc: squid-users@xxxxxxxxxxxxxxxxxxxxx
Subject: Re: IPv6 and TPROXY

Hello Eliezer

ip -6 rule is this

0:      from all lookup local
32765:  from all fwmark 0x1 lookup 100
32766:  from all lookup main

the two commands were

ip -f inet6 rule add fwmark 1 lookup 100
ip -f inet6 route add local default dev br0 table 100

ip6tables-save is this

<BEGIN>
# Generated by ip6tables-save v1.4.7 on Thu Aug 10 05:26:04 2017
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i sit1 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i sit1 -p tcp -m string --string "GET /w00tw00t.at." --algo bm --to 84 -m tcp --dport 80 -j DROP
-A INPUT -m rt --rt-type 0 -j DROP
-A INPUT -m state --state INVALID -j DROP
-A INPUT -s fe80::/10 -j ACCEPT
-A INPUT -d ff00::/8 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i br0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 2001:470:1f0b:9c8::/64 -d fe80::/10 -i br0 -j ACCEPT
-A INPUT -d 2001:470:1f0b:9c8::1/128 -i br0 -p tcp -m tcp --dport 3128 -m state --state NEW -j ACCEPT
-A INPUT -d 2001:470:1f0b:9c8::1/128 -i br0 -p tcp -m tcp --dport 3129 -m state --state NEW -j ACCEPT
-A FORWARD -i sit1 -o br0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -m rt --rt-type 0 -j DROP
-A FORWARD -m state --state INVALID -j DROP
-A FORWARD -i br0 -o br0 -j ACCEPT
-A FORWARD -i br0 -o sit1 -j ACCEPT
-A OUTPUT -m rt --rt-type 0 -j DROP
-A OUTPUT -m state --state INVALID -j DROP
-A OUTPUT -s fe80::/10 -j ACCEPT
-A OUTPUT -d ff00::/8 -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -o br0 -j ACCEPT
-A OUTPUT -o sit1 -j ACCEPT
COMMIT
# Completed on Thu Aug 10 05:26:04 2017
# Generated by ip6tables-save v1.4.7 on Thu Aug 10 05:26:04 2017
*mangle
:PREROUTING ACCEPT [43:6775]
:INPUT ACCEPT [104:10608]
:FORWARD ACCEPT [12:2567]
:OUTPUT ACCEPT [182:28756]
:POSTROUTING ACCEPT [194:31323]
:DIVERT - [0:0]
-A PREROUTING -i br0 -p tcp -m socket -j DIVERT
-A PREROUTING -d 2a02:1788:2fd::b2ff:5302/128 -i br0 -p tcp -m tcp --dport 80 -j TPROXY --on-port 3129 --on-ip 2001:470:1f0b:9c8::1 --tproxy-mark 0x1/0x1
-A DIVERT -j MARK --set-xmark 0x1/0xffffffff
-A DIVERT -j ACCEPT
COMMIT
# Completed on Thu Aug 10 05:26:04 2017
<END>

Thanks,
Walter

On 10.08.2017 02:18, Eliezer Croitoru wrote:
> Can you attach or paste\gist the output of:
> iptables-save
> ip6tables-save
> ip rule
> ??
> It will help to also see the tables which you use in conjunction to the "ip rule" based on the mark.
>
> Eliezer
>
> ----
> Eliezer Croitoru
> Linux System Administrator
> Mobile: +972-5-28704261
> Email: eliezer@xxxxxxxxxxxx
>
>
> -----Original Message-----
> From: squid-users [mailto:squid-users-bounces@xxxxxxxxxxxxxxxxxxxxx] On Behalf Of Walter H.
> Sent: Tuesday, August 8, 2017 17:15
> To: squid-users@xxxxxxxxxxxxxxxxxxxxx
> Subject: IPv6 and TPROXY
>
> Hello,
>
> I did at the ip6tables like this:
> https://wiki.squid-cache.org/Features/Tproxy4#iptables_on_a_Router_device
>
> iptables -t mangle -N DIVERT
> iptables -t mangle -A DIVERT -j MARK --set-mark 1
> iptables -t mangle -A DIVERT -j ACCEPT
>
> iptables -t mangle -A PREROUTING -i br0 -p tcp -m socket -j DIVERT
>
> iptables -t mangle -A PREROUTING -i br0 -p tcp -d 2a02:1788:2fd::b2ff:5302
> --dport 80 -j TPROXY --tproxy-mark 0x1/0x1 --on-ip ipv6lan --on-port 3129
>
> in squid.conf I added
>
> http_port ipv6lan:3129 tproxy
>
> I also added the following rule to ip6tables
>
> iptables -t filter -A INPUT -i br0 -d ipv6lan -m tcp -p tcp --dport 3129
> -m state --state NEW -j ACCEPT
>
> when I have tcpdump run, I get this:
>
> 16:08:58.452533 IP6 ipv6host.37656> 2a02:1788:2fd::b2ff:5302.80: Flags
> [S], seq 231343061, win 14400, options [mss 1440,sackOK,TS val 1875817945
> ecr 0,nop,wscale 5], length 0
> 16:08:58.452794 IP6 ipv6lan> ipv6host: ICMP6, destination unreachable,
> unreachable port, 2a02:1788:2fd::b2ff:5302 tcp port 80, length 88
>
> when doing:
>
> wget -6 --user-agent="Microsoft-CryptoAPI/10.0" --no-proxy
> http://crl.usertrust.com/AddTrustExternalCARoot.crl
>
> (crl.usertrust.com has IPv6 address 2a02:1788:2fd::b2ff:5302)
>
> what am I missing?
>
> Thanks
> Walter
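
Added example (not part of the thread and not Squid project code): a Python check that every mark set in the mangle table of an `ip6tables-save` dump is matched by an fwmark entry in `ip -6 rule` output, since the TPROXY mark and the policy-routing rule have to agree. The sample input is constructed by abridging the outputs quoted above; the function names are hypothetical and packets are assumed to arrive unmarked.

```python
import re

# Constructed sample input, abridged from the outputs quoted in the thread.
IP6TABLES_SAVE = """\
*mangle
:PREROUTING ACCEPT [0:0]
:DIVERT - [0:0]
-A PREROUTING -i br0 -p tcp -m socket -j DIVERT
-A PREROUTING -d 2a02:1788:2fd::b2ff:5302/128 -i br0 -p tcp -m tcp --dport 80 -j TPROXY --on-port 3129 --on-ip 2001:470:1f0b:9c8::1 --tproxy-mark 0x1/0x1
-A DIVERT -j MARK --set-xmark 0x1/0xffffffff
-A DIVERT -j ACCEPT
COMMIT
"""
IP6_RULE = """\
0:      from all lookup local
32765:  from all fwmark 0x1 lookup 100
32766:  from all lookup main
"""

MARK_RE = re.compile(r"-j (TPROXY|MARK)\b.*--(?:tproxy-mark|set-xmark|set-mark) (\w+)")
FWMARK_RE = re.compile(r"fwmark (\w+)(?:/(\w+))? lookup (\S+)")

def mangle_marks(save_text):
    """Yield (target, mark) for every mark-setting rule in the mangle table.
    Assumption: the packet arrives unmarked, so the resulting mark is the value."""
    table = None
    for line in save_text.splitlines():
        if line.startswith("*"):
            table = line[1:].strip()  # track which table the rules belong to
        m = MARK_RE.search(line)
        if table == "mangle" and m:
            yield m.group(1), int(m.group(2), 0)

def fwmark_rules(ip_rule_text):
    """Parse `ip -6 rule` output into (value, mask, table) tuples."""
    return [(int(v, 0), int(k, 0) if k else 0xFFFFFFFF, t)
            for v, k, t in FWMARK_RE.findall(ip_rule_text)]

def check_marks(save_text, ip_rule_text):
    """Report which routing table each mark selects; None means no rule matches."""
    rules = fwmark_rules(ip_rule_text)
    return [(target, hex(mark),
             next((t for v, k, t in rules if (mark & k) == v), None))
            for target, mark in mangle_marks(save_text)]

if __name__ == "__main__":
    for target, mark, table in check_marks(IP6TABLES_SAVE, IP6_RULE):
        print(f"{target}: mark {mark} -> table {table or 'NONE (no fwmark rule)'}")
```

A `None` in the third field means the marked packets fall through to the ordinary routing tables instead of the table holding the `local default` route.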